Re: Do we need to rename the Origin header?

On Fri, 03 Apr 2009 22:05:52 +0200, Bil Corry <bil@corry.biz> wrote:
> So the first question to ponder is if the referrer header really can  
> adequately replace Origin.  If it can, then we should the move this  
> discussion over to ietf-http-wg and work to make sure referrer is  
> updated in a way to make it useful for CSRF protection.  If it can not,  
> then we should discuss Origin here as the ietf-http-wg has made it very  
> clear that they are not interested.

FWIW, for CORS it's too late to rename Origin now that we have three  
implementations, one of which is shipping (IE) and two that are in beta  
(Firefox, Safari). (Anyone know which version of Chrome supports CORS?)

CORS defines the Origin header as well:

   http://www.w3.org/TR/2009/WD-cors-20090317/#origin-request-header

It has also been registered in the provisional header registry from IANA  
for quite a while.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Saturday, 4 April 2009 10:19:02 UTC